I think a keylogger still has access to at least 2 of my devices

Hi,


I know I may be a "newbie", but I second GeorgeSupport6411's post. I may not be a veteran IT guy, but I've made a living online since 1997, I am a loyal Mac user, and NO QUESTION a victim of a Mac hack and / or virus.


When it comes to security, I follow the "best practices" (strong passwords, not using the same PW combos, encryption), but I have been through a week of ****. I have an iMac, MacBook Pro, iPad and an iPhone, all of which were hacked, as well as Facebook, Gmail, and other accounts.


The ONLY explanation I could come up with is that everything is coming downstream FROM MY KEYCHAIN. My brother worked as head of security for Bank of America for nearly a decade and I wanted to ask him about all these strange "Kerberos" entries, and before I could even say the word he said, "Apple has been having some issues with Kerberos".


As I understand it, the problem comes in when you can't connect with Kerberos. To me, that sounds as easy as clogging your state with other processes or even finding a redirect.


So, I don't think I am out of the woods yet. I think a keylogger still has access to at least 2 of my devices, including my iPhone. Rather than bore you with a long protected string of code (I have plenty), can someone look at this and tell me if it looks "normal"?


This is from a few hours ago:

Mon Feb 13 00:57:00 PST 2017

creating system keychain entries

...Generating key pair...

...creating certificate...

Serial Number : 1F EF 1D 5C

Issuer Name :

Common Name : com.apple.systemdefault

Org : System Identity

Subject Name :

Common Name : com.apple.systemdefault

Org : System Identity

Cert Sig Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 0B >

alg params : 05 00

Not Before : 08:57:01 Feb 13, 2017

Not After : 08:57:01 Feb 8, 2037

Pub Key Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 01 >

alg params : 05 00

Pub key Bytes : Length 270 bytes : 30 82 01 0A 02 82 01 01 ...

CSSM Key :

Algorithm : RSA

Key Size : 2048 bits

Key Use : CSSM_KEYUSE_ENCRYPT CSSM_KEYUSE_VERIFY CSSM_KEYUSE_WRAP

Signature : 256 bytes : A6 37 BE 9F 18 31 E5 97 ...

Extension struct : OID : < 06 03 55 1D 0F >

Critical : FALSE

usage : DigitalSignature KeyEncipherment DataEncipherment

Extension struct : OID : < 06 03 55 1D 25 >

Critical : FALSE

purpose 0 : OID : < 06 09 2A 86 48 86 F7 63 64 04 04 >

..cert stored in Keychain.

..identity registered for domain com.apple.systemdefault.

...Generating key pair...

...creating certificate...

Serial Number : 75 6B 04 B4

Issuer Name :

Common Name : com.apple.kerberos.kdc

Org : System Identity

Subject Name :

Common Name : com.apple.kerberos.kdc

Org : System Identity

Cert Sig Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 0B >

alg params : 05 00

Not Before : 08:57:02 Feb 13, 2017

Not After : 08:57:02 Feb 8, 2037

Pub Key Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 01 >

alg params : 05 00

Pub key Bytes : Length 270 bytes : 30 82 01 0A 02 82 01 01 ...

CSSM Key :

Algorithm : RSA

Key Size : 2048 bits

Key Use : CSSM_KEYUSE_ENCRYPT CSSM_KEYUSE_VERIFY CSSM_KEYUSE_WRAP CSSM_KEYUSE_DERIVE

Signature : 256 bytes : 4A 72 17 B0 FB 68 B2 9C ...

Extension struct : OID : < 06 03 55 1D 0F >

Critical : FALSE

usage : DigitalSignature KeyEncipherment

Extension struct : OID : < 06 03 55 1D 25 >

Critical : FALSE

purpose 0 : OID : < 06 08 2B 06 01 05 05 07 03 01 >

Extension struct : OID : < 06 03 55 1D 25 >

Critical : FALSE

purpose 0 : OID : < 06 07 2B 06 01 05 02 03 05 >

..cert stored in Keychain.

..identity registered for domain com.apple.kerberos.kdc.

added /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kdc to acl for com.apple.kerberos.kdc

hod-admin: krb5_kt_start_seq_get: keytab /etc/krb5.keytab access failed: No such file or directory

Done LKDC setup

No matching processes were found

Mon Feb 13 00:57:04 PST 2017

creating system keychain entries

...System identity already exists for domain com.apple.systemdefault. Done.

...System identity already exists for domain com.apple.kerberos.kdc. Done.

/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kdc already in acl

Done LKDC setup

No matching processes were found

Posted on Feb 13, 2017 5:23 AM

24 replies
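The OIDs in the log above can be decoded instead of guessed at: a decoder turns the DER bytes into dotted names and shows the two certificates are a self-signed "System Identity" and a local KDC certificate carrying the PKINIT KDC purpose, which is what a routine LKDC setup produces. This is an added example, not code from the thread or from Apple; the OID names come from RFC 5280 and RFC 4556 plus Apple's private arc, and the log lines are an excerpt constructed from the post.

```python
import re
from typing import List, Tuple

# Names for the OIDs that occur in the log (RFC 5280, RFC 4556; the last one is
# Apple's private extended-key-usage arc, matching the log's "System Identity").
KNOWN_OIDS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "2.5.29.15": "keyUsage",
    "2.5.29.37": "extKeyUsage",
    "1.3.6.1.5.5.7.3.1": "id-kp-serverAuth",
    "1.3.6.1.5.2.3.5": "id-pkinit-KPKdc (Kerberos KDC certificate)",
    "1.2.840.113635.100.4.4": "Apple extended key usage (System Identity)",
}


def decode_der_oid(raw: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER (tag 0x06, one-byte length) to dotted form."""
    if len(raw) < 3 or raw[0] != 0x06:
        raise ValueError("not a DER OID")
    body = raw[2:2 + raw[1]]
    if len(body) != raw[1]:
        raise ValueError("truncated OID")
    arcs: List[int] = []
    value, in_arc = 0, False
    for b in body:
        value = (value << 7) | (b & 0x7F)     # base-128, high bit = continuation
        in_arc = bool(b & 0x80)
        if in_arc:
            continue
        if not arcs:                          # first subidentifier packs two arcs
            arcs += [2, value - 80] if value >= 80 else [value // 40, value % 40]
        else:
            arcs.append(value)
        value = 0
    if in_arc:
        raise ValueError("unterminated arc")
    return ".".join(str(a) for a in arcs)


def decode_log_oids(log_text: str) -> List[Tuple[str, str]]:
    """Pull every 'OID : < .. >' out of the log and return (dotted, name) pairs."""
    pairs = []
    for m in re.finditer(r"OID : < ([0-9A-Fa-f ]+) >", log_text):
        dotted = decode_der_oid(bytes.fromhex(m.group(1).replace(" ", "")))
        pairs.append((dotted, KNOWN_OIDS.get(dotted, "unknown")))
    return pairs


# Constructed excerpt of the OID-bearing lines from the Kerberos/LKDC log above.
SAMPLE_LOG = """\
Cert Sig Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 0B >
Pub Key Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 01 >
Extension struct : OID : < 06 03 55 1D 0F >
Extension struct : OID : < 06 03 55 1D 25 >
purpose 0 : OID : < 06 09 2A 86 48 86 F7 63 64 04 04 >
Extension struct : OID : < 06 03 55 1D 25 >
purpose 0 : OID : < 06 08 2B 06 01 05 05 07 03 01 >
Extension struct : OID : < 06 03 55 1D 25 >
purpose 0 : OID : < 06 07 2B 06 01 05 02 03 05 >
"""

if __name__ == "__main__":
    for dotted, name in decode_log_oids(SAMPLE_LOG):
        print(f"{dotted:<26} {name}")
```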

Feb 15, 2017 3:49 AM in response to Community User

JasonQuinlan667 wrote:


I've heard that is not 100% true,


It appears you have permitted yourself to become misled. Not only is it 100% true, erasing your devices is the only way to eliminate all suspicion of a "keylogger".


However, the likelihood of some rogue software being the cause of your problems is so infinitesimal that it should be summarily disregarded. In that case erasing your devices will not help, and that includes a "seven pass erase". It's an utter waste of time.


It is far more likely that your Apple ID credentials are being used without authorization, and in that case you should follow these instructions: If you think your Apple ID has been compromised - Apple Support.

Feb 15, 2017 7:14 AM in response to Community User

I agree that there is nothing suspicious or even unusual about the EtreCheck reports and I also agree with John Galt and Thomas who are far more knowledgeable than I, that at this point it would be best to secure as many of your on-line accounts as possible with 2FA (especially at this point, your Apple ID). For info on how to do this see this Apple document (link).

Feb 14, 2017 8:05 PM in response to Community User

It's fairly unlikely that you have a keylogger accessing your devices. From the log string it appears that something is corrupt and a circular reference is attempting to duplicate commands. Let's try EtreCheck for some diagnostics. If you are not familiar with EtreCheck, it is a utility that will take a look at what is going on in your Mac. Please post the complete results back here. It does not reveal personal information and was developed by a respected senior user on these forums. Please click on the blue EtreCheck link or simply Google "etrecheck". You can read about the program and download it from that one link.

Nov 22, 2017 5:59 PM in response to pokey b

Yeah, I did that and a 7 pass erase on every disk I have except my iPhone. The same problems keep coming back.


I wiped my iPhone, turned off wifi and bluetooth, haven't connected to iCloud and only use cellular.

Nov 22, 2017 5:59 PM in response to pokey b

This is from my "safer" device. Bear in mind it's been wiped of everything as of yesterday:


EtreCheck version: 3.1.5 (343)

Report generated 2017-02-14 20:17:05

Download EtreCheck from https://etrecheck.com

Runtime 1:56

Performance: Excellent


Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.


Problem: No problem - just checking


Hardware Information: ⓘ

MacBook Pro (17-inch, Mid 2010)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro6,1

1 2.53 GHz Intel Core i5 (i5) CPU: 2-core

8 GB RAM Upgradeable - [Instructions]

BANK 0/DIMM0

4 GB DDR3 1067 MHz ok

BANK 1/DIMM0

4 GB DDR3 1067 MHz ok

Bluetooth: Old - Handoff/Airdrop2 not supported

Wireless: en1: 802.11 a/b/g/n

Battery: Health = Normal - Cycle count = 177


Video Information: ⓘ

Intel HD Graphics

Color LCD 1920 x 1200

NVIDIA GeForce GT 330M - VRAM: 512 MB


System Software: ⓘ

OS X El Capitan 10.11.6 (15G1217) - Time since boot: about one hour


Disk Information: ⓘ

Hitachi HTS725050A9A362 disk0 : (500.11 GB) (Rotational)

[Show SMART report]

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

MACINTOSH HD (disk1) / [Startup]: 498.89 GB (456.88 GB free)

Encrypted AES-XTS Unlocked

Core Storage: disk0s2 499.25 GB Online


HL-DT-ST DVDRW GS23N ()


USB Information: ⓘ

Apple Computer, Inc. IR Receiver

Apple Inc. Built-in iSight

Apple Inc. BRCM2070 Hub

Apple Inc. Bluetooth USB Host Controller

Apple Inc. Apple Internal Keyboard / Trackpad


Gatekeeper: ⓘ

Mac App Store and identified developers


System Launch Agents: ⓘ

[not loaded] 7 Apple tasks

[loaded] 162 Apple tasks

[running] 70 Apple tasks


System Launch Daemons: ⓘ

[not loaded] 45 Apple tasks

[loaded] 155 Apple tasks

[running] 90 Apple tasks


Internet Plug-ins: ⓘ

Default Browser: 601 - SDK 10.11 (2016-07-08)

QuickTime Plugin: 7.7.3 (2017-02-14)


3rd Party Preference Panes: ⓘ

None


Time Machine: ⓘ

Time Machine not configured!


Top Processes by CPU: ⓘ

97% mdworker(9)

6% plugin-container

5% kernel_task

4% WindowServer

2% fontd


Top Processes by Memory: ⓘ

703 MB kernel_task

549 MB firefox

541 MB plugin-container

475 MB softwareupdated

197 MB mdworker(9)


Virtual Memory Information: ⓘ

3.69 GB Available RAM

2.18 GB Free RAM

4.31 GB Used RAM

1.51 GB Cached files

0 B Swap Used


Diagnostics Information: ⓘ

Feb 14, 2017, 06:30:25 PM Self test - passed

Feb 13, 2017, 07:28:07 PM /Library/Logs/DiagnosticReports/soagent_2017-02-13-192807_[redacted].cpu_resource.diag [Details]

/System/Library/PrivateFrameworks/MessagesKit.framework/Resources/soagent.app/Contents/MacOS/soagent

Feb 13, 2017, 07:28:07 PM /Library/Logs/DiagnosticReports/callservicesd_2017-02-13-192807_[redacted].cpu_resource.diag [Details]

/System/Library/PrivateFrameworks/TelephonyUtilities.framework/callservicesd

Feb 13, 2017, 03:00:31 PM /Library/Logs/DiagnosticReports/firefox_2017-02-13-150031_[redacted].cpu_resource.diag [Details]

/Applications/Firefox.app/Contents/MacOS/firefox

Feb 13, 2017, 02:18:36 PM ~/Library/Logs/DiagnosticReports/com.apple.preferences.sharing.remoteservice_2017-02-13-141836_[redacted].crash

/System/Library/PreferencePanes/SharingPref.prefPane/Contents/XPCServices/com.apple.preferences.sharing.remoteservice.xpc/Contents/MacOS/com.apple.preferences.sharing.remoteservice

Nov 22, 2017 5:59 PM in response to pokey b

This is the other log fresh off a 7 pass disk wipe:


Nov 22, 2017 5:59 PM in response to pokey b

This is the only thing that looks suspect from running EtreCheck on all devices:


/etc/sudoers, File size 2299 but expected 1275


I googled it and there are discussions in other forums but none in English.


Any ideas?

Feb 15, 2017 5:32 AM in response to Community User

JasonQuinlan667 wrote:


I have 2 step on Facebook and GMail, so I was alerted and was able to stop them on the spot.


That is not an indication that any of your devices were hacked. That is an indication that someone tried - unsuccessfully, due to the 2-factor authorization (2FA) - to get into your Facebook and GMail accounts.


That person may have been able to get into some of your other online accounts that weren't protected by 2FA, but again, this does not remotely imply that your devices were hacked. If a hacker can gain access to one weakly-secured online account, that often provides the information necessary to compromise one or more other accounts, and then the rest of your online accounts fall like dominos. No access to any of your devices is needed. This is why 2FA is so important.


As for your devices... if they had actually been infected, which they were not, then a 7-pass erase does nothing but put wear and tear on the drive. The simplest, no-pass erase is sufficient to eliminate even the worst existing threat that might be installed on the system, so long as you don't turn around and restore threats from a backup. (Restoring documents from backup is just fine.)

Feb 15, 2017 8:17 AM in response to Community User

I've heard that is not 100% true,

There seems to be much you don't understand about computers, but are certain of things you don't know enough about, anyway.


As far as an erase goes, and as has been explained, any type of erasure of a drive is 100% effective. And that does not, at any time, need to be a secure erase of any number of passes. A simple, quick erase is all that's needed. The only thing you're succeeding at with all of these multiple secure erase procedures is bringing your drives to a much quicker death.


Here's an explanation that should help. Say you have a map of the entire U.S. that is large enough to show the name of every single city, town, and one building road stop that exists. With the map, you can navigate through the hundreds or thousands of turns, streets and other roads necessary to get there. Take away the map, and your chances of finding any town would be just short of impossible.


Now apply that to the drive's file table. That is the OS's map of where every file is on the drive. And a drive has millions of sectors. With the file table intact, the OS knows where to go to find the first part of a file, which is marked with a BOF (Beginning Of File) marker. Without knowing where that particular sector is, you have nothing. And since a file of practically any size cannot fit on one sector, the OS has to read hundreds, or thousands of sectors before it finds the end of the file, which is tagged with an EOF (End Of File) marker. Each sector points to the next sector the file's information is on so they can be read in the correct order. Finding any one of those sectors without starting at the first does not help you one bit. You would have no idea if the one you found was part of the file you're looking for, or a different item altogether. It would also result in you only having an incomplete file by randomly starting on a sector and following it to an EOF marker.


That's what happens with even a simple erase. By overwriting the existing file table with a new, blank one, you've thrown away the map. Without it, the OS, or any app has virtually no chance of finding anything on the drive, even though they technically still exist. Recovery software can, but that's because they use a brute force method of reading every single sector on a drive, whether it's on an erased area or not, and look for BOF markers. From there, they can follow each one they find to its EOF marker. But casually finding them is not possible.


As for your concern about a keylogger, they are also a FILE. If you even happened to have one on a given Mac, it cannot in any way affect any other device. It can only work on the device it's on, and then only if you startup to the volume the keylogger is on. It has to load along with the OS during startup. If you startup to a different volume the keylogger is not on, it cannot load. So your entire thesis that a keylogger on one device can somehow affect all of your devices at once is 100% wrong.


As for your iPhone, unless you've jailbroken it, it is extremely unlikely to have any type of malware on it.


If you want help, listen to people who actually know what they're talking about, such as Thomas. His job is searching for, and figuring out how to remove any and all known Mac malware. The stumbling about and guessing you're currently doing is not going to get you anywhere.

Nov 22, 2017 5:59 PM in response to Kurt Lang

Point taken. To say I "don't understand much about computers" is, well, just LOL. I opened this thread saying, "I am not an IT expert," and I'm still not.


Is a Mac susceptible to a hack? In my opinion, yes. I've seen a lot of tiptoeing "Bill Clinton defense tactics" where people say it wasn't a hack because it is "x" or you did "y" or "z".


At the end of the day I've been through three major Mac virus crashes, and multiple violations regarding my financial data, personal data, and finances themselves.


I'm not by any means detracting anything from Apple. I own four of their devices as well as a significant holding in stock. I wouldn't even be posting if I wasn't a supporter. LOL


I can't go into too much detail, because law enforcement is now involved; in July I was a victim of theft of items from my house, which included tax returns.


At the time, I figured my identity was being stolen, so I started monitoring my credit, changed to strong / unique passwords, and closed and reopened financial accounts.


Going back through everything in my head, including their access to my social media accounts, the only element I can see common to everything is that at one stage or another someone either had a sophisticated keylogger or access to my keychain.


I have been a Macintosh customer for 15 years, and through all of the re-brands (Mac.com, me.com, and iCloud.com) I have had accounts open that I didn't even know about. I am one person. I have a primary e-mail; that is all I want! I have even been told by Apple that there is no way to even delete these emails.


Which leads me to think it was a socially engineered hack. Not very difficult considering that "me" wasn't even sure who "me" really was across 11 different aliases. I wasn't the only one confused; so were the folks at the Genius Bar.


In closing, Apple should take a look at possible Kerberos vulnerabilities. For a process nicknamed after Hades' guard dog, I want its bite to remain vicious.

Feb 18, 2017 3:21 AM in response to Community User

It's not good practice, but several legitimate applications do add things to the sudoers file. On the other hand, it may be a sign that you've installed something dodgy. To see what has been added, open Terminal.app and enter this command:


sudo cat /etc/sudoers


This will only work from an admin account and will ask for the account's password. If you want help interpreting the results, copy and paste them here.


C.

Nov 22, 2017 5:59 PM in response to cdhw

Thank you. I believe at this point I may have been able to thwart any new attack, just by aggravating any real or imagined malicious party by virtue of changing my passwords every five minutes. I followed your suggestion and this is what I came back with:

Jasons-iMac:~ jasonquinlan$ sudo cat /etc/sudoers

Password:

#

# Sample /etc/sudoers file.

#

# This file MUST be edited with the 'visudo' command as root.

#

# See the sudoers man page for the details on how to write a sudoers file.


##

# Override built-in defaults

##

Defaults env_reset

Defaults env_keep += "BLOCKSIZE"

Defaults env_keep += "COLORFGBG COLORTERM"

Defaults env_keep += "__CF_USER_TEXT_ENCODING"

Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"

Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"

Defaults env_keep += "LINES COLUMNS"

Defaults env_keep += "LSCOLORS"

Defaults env_keep += "SSH_AUTH_SOCK"

Defaults env_keep += "TZ"

Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"

Defaults env_keep += "EDITOR VISUAL"

Defaults env_keep += "HOME MAIL"


Defaults lecture_file = "/etc/sudo_lecture"


##

# User alias specification

##

# User_Alias FULLTIMERS = millert, mikef, dowdy


##

# Runas alias specification

##

# Runas_Alias OP = root, operator


##

# Host alias specification

##

# Host_Alias CUNETS = 128.138.0.0/255.255.0.0

# Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0

# Host_Alias SERVERS = master, mail, www, ns

# Host_Alias CDROM = orion, perseus, hercules


##

# Cmnd alias specification

##

# Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less


##

# User specification

##


# root and users in group wheel can run anything on any machine as any user

root ALL = (ALL) ALL

%admin ALL = (ALL) ALL


## Read drop-in files from /private/etc/sudoers.d

## (the '#' here does not indicate a comment)

#includedir /private/etc/sudoers.d

Jasons-iMac:~ jasonquinlan$


>>> one thing I've learned from this whole ordeal is to not read your computer's logs and think you have any clue what's going on. That's an easy way to get a state-sponsored trip to the loony bin.


Do you see anything that doesn't look kosher?

Feb 18, 2017 10:09 AM in response to Community User

Nothing remarkable here. A few lines seem to have been added in the past, e.g.


# User_Alias FULLTIMERS = millert, mikef, dowdy


# Host_Alias CUNETS = 128.138.0.0/255.255.0.0
# Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0

# Host_Alias SERVERS = master, mail, www, ns

# Host_Alias CDROM = orion, perseus, hercules


but they have been commented out rendering them harmless. These are why the file is a bit bigger than EtreCheck expected it to be but are nothing to worry about.


C.
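The review cdhw does by hand above (dump /etc/sudoers, ignore the commented-out aliases, look only at live additions) can be scripted so that the lines that actually grant privilege are separated from the noise that inflates the file size. This is an added example, not code from the thread or from Apple; the baseline rule set is an assumption rather than a copy of Apple's file, and the sample is a trimmed version of the listing posted above with one constructed NOPASSWD rule added to show what a real addition looks like.

```python
import re
from typing import Dict, List

# Privilege rules a stock macOS sudoers is assumed to carry (an assumption for this
# example, not a copy of Apple's file): root and the admin group may run anything.
BASELINE_RULES = {"root ALL = (ALL) ALL", "%admin ALL = (ALL) ALL"}
EXPECTED_INCLUDE_DIRS = ("/private/etc/sudoers.d", "/etc/sudoers.d")


def active_lines(sudoers_text: str) -> List[str]:
    """Return the non-comment lines of a sudoers file with continuations joined.
    '#include' and '#includedir' are directives, not comments, so they survive."""
    lines, pending = [], ""
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#") and not re.match(r"#include(dir)?\b", line):
            continue
        if line.endswith("\\"):               # line continuation: keep accumulating
            pending += line[:-1] + " "
            continue
        lines.append(" ".join((pending + line).split()))
        pending = ""
    return lines


def normalize_rule(line: str) -> str:
    """Canonical spacing around '=' so 'root ALL=(ALL) ALL' matches the baseline."""
    return " ".join(line.replace("=", " = ").split())


def review_sudoers(sudoers_text: str) -> Dict[str, List[str]]:
    """Sort active lines into Defaults, includes, expected rules, and 'suspect':
    any extra user specification, NOPASSWD grant, or unexpected include path."""
    report: Dict[str, List[str]] = {"defaults": [], "includes": [],
                                    "baseline": [], "suspect": []}
    for line in active_lines(sudoers_text):
        if line.startswith("Defaults"):
            report["defaults"].append(line)
        elif line.startswith("#include"):
            report["includes"].append(line)
            if not any(path in line for path in EXPECTED_INCLUDE_DIRS):
                report["suspect"].append(line)
        elif normalize_rule(line) in BASELINE_RULES:
            report["baseline"].append(line)
        else:
            report["suspect"].append(line)
    return report


# Constructed sample: the listing from the post above, trimmed, plus one added
# NOPASSWD rule of the kind a reviewer must not miss (not present in the post).
SAMPLE_SUDOERS = """\
# Sample /etc/sudoers file.
Defaults env_reset
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults lecture_file = "/etc/sudo_lecture"
# User_Alias FULLTIMERS = millert, mikef, dowdy
# Host_Alias CUNETS = 128.138.0.0/255.255.0.0
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
someapp ALL = (ALL) NOPASSWD: /usr/local/bin/helper
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
"""

if __name__ == "__main__":
    for section, lines in review_sudoers(SAMPLE_SUDOERS).items():
        print(section, lines)
```

On a real machine feed it the output of `sudo cat /etc/sudoers`; anything under "suspect" is what to ask about, while commented-out aliases never appear.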
